Skip to content

chore(deps): bump dcarbone/install-jq-action from 3 to 4#976

Merged
mbevc1 merged 1 commit into
mainfrom
dependabot/github_actions/dcarbone/install-jq-action-4
Jun 26, 2026
Merged

chore(deps): bump dcarbone/install-jq-action from 3 to 4#976
mbevc1 merged 1 commit into
mainfrom
dependabot/github_actions/dcarbone/install-jq-action-4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor

Bumps dcarbone/install-jq-action from 3 to 4.

Release notes

Sourced from dcarbone/install-jq-action's releases.

v4.0.0

What's Changed

New Contributors

Full Changelog: dcarbone/install-jq-action@v3...v4.0.0

v3.2.0

What's Changed

New Contributors

Full Changelog: dcarbone/install-jq-action@v3.1.1...v3.2.0

v3.1.1

What's Changed

Full Changelog: dcarbone/install-jq-action@v3...v3.1.1

v3.1.0

What's Changed

Full Changelog: dcarbone/install-jq-action@v3...v3.1.0

v3.0.1

What's Changed

Full Changelog: dcarbone/install-jq-action@v3.0.0...v3.0.1

Commits
  • 4fcb506 feat: add jq 1.8.1 and 1.8.2, default to 1.8.2 (#27)
  • 09d2cff lil things
  • 9eee751 fix(ci): explicit exit 0 after Windows invalid-version loop
  • fdb041d ci: merge unit-tests.yaml into tests.yaml
  • a9c7393 docs+tests: prepare v4 release
  • 50f40aa fix(security): verify download integrity and harden install scripts (#25)
  • b39bdc2 Bump actions/checkout from 5 to 6 (#24)
  • 737621e no permissions
  • 04b1c99 Add permissions field to Linux setup workflow
  • 58388b8 limiting permissions (#23)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dcarbone/install-jq-action](https://github.com/dcarbone/install-jq-action) from 3 to 4.
- [Release notes](https://github.com/dcarbone/install-jq-action/releases)
- [Commits](dcarbone/install-jq-action@v3...v4)

---
updated-dependencies:
- dependency-name: dcarbone/install-jq-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github-actions labels Jun 26, 2026
@mbevc1 mbevc1 enabled auto-merge (squash) June 26, 2026 09:43
@claude

claude Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Claude finished @dependabot[bot]'s task in 43s —— View job


Dependency upgrade review

  • Identify changed dependencies
  • Review changelog / release notes for breaking changes
  • Check repo usage of the dependency
  • Flag risks and suggest follow-ups

Dependency: dcarbone/install-jq-action v3 → v4 (major bump), used in exactly one place: .github/workflows/release.yml:153 (the goreleaser job).

What changed in v4

  • New default jq version: 1.8.2 (v3 defaulted to 1.7.1). The action is pinned only to the tag, with no version: input, so this upgrade silently changes the bundled jq from 1.7.1 → 1.8.2.
  • fix(security): verify download integrity and harden install scripts (PR #25) — adds checksum verification of the downloaded jq binary. This is a security improvement and should be transparent to consumers.
  • Internal CI bumps (actions/checkout 4→6) — no consumer impact.

Repo usage assessment

jq is used only in the Prepare artifacts list step (release.yml:202–223) plus a gh api --jq call (:48, which uses gh's built-in jq, not this action). The filters used are:
reduce, ltrimstr, string +, sub, and the -R / -s / -n / --argjson flags.

All of these are long-stable jq builtins/flags present in both 1.7 and 1.8 — none were removed or changed in semantics by jq 1.8. So the artifact-list generation should behave identically.

Risk: Low

  • The jq operations used are unaffected by the 1.7.1 → 1.8.2 change.
  • The new checksum verification could in theory fail on a transient/CDN issue, but that would surface as a clear install-step failure, not silent corruption.

Suggested follow-up

  • Because this action is only exercised in the release workflow (which doesn't run on PRs), this change won't be validated until the next release. Worth a quick eyeball of the Prepare artifacts list step output on the next release run, or a manual workflow_dispatch/dry-run if available, to confirm dist/artifacts.json is parsed correctly under jq 1.8.2.
  • Optional hardening: pin a version: input on the action (e.g. jq-version: '1.7.1') if you want the default jq version to be explicit and immune to future default bumps.

Note: I can't push changes to files under .github/workflows/ (the GitHub App lacks workflow write permission), but no code change is needed here — this PR looks safe to merge.
· dependabot/github_actions/dcarbone/install-jq-action-4

@mbevc1 mbevc1 merged commit 06cc3f5 into main Jun 26, 2026
13 checks passed
@mbevc1 mbevc1 deleted the dependabot/github_actions/dcarbone/install-jq-action-4 branch June 26, 2026 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github-actions

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant